// Detection rule for the Chisel tunnelling tool as observed in Hafnium activity.
// Scope: Windows PE binaries only (the condition requires the MZ header), so
// Chisel builds for other platforms are not covered by this rule.
rule APT_Chisel_Hafnium_Feb_2021_1
{
    meta:
        description = "Rule for detecting Chisel kit tool used by Hafnium"
        author = "Arkbird_SOLG"
        date = "2021-02-23"
        reference = "Internal Research"   
        adversary = "Hafnium"
        tlp = "white"
        // SHA-256 of the sample this rule was written against
        hash = "4afa5fde76f1f3030cf7dbd12e37b717e1f902ac95c8bdf54a2e58a64faade04"
    strings:
    // commands
    // Go-style format strings ("%w", "%v") from Chisel log/error messages,
    // encoded as raw ASCII bytes (decoded text in the trailing comments).
    // NOTE(review): these look generic to the open-source Chisel tool rather
    // than specific to Hafnium, so legitimately deployed Chisel builds are
    // presumably expected to contain them too; the $seq* requirement in the
    // condition is what narrows the match to the referenced build.
        $str1 = { 48 61 6e 64 73 68 61 6b 69 6e 67 20 77 69 74 68 20 25 73 2e 2e 2e } // Handshaking with %s...
        $str2 = { 4c 65 74 73 45 6e 63 72 79 70 74 20 63 61 63 68 65 20 64 69 72 65 63 74 6f 72 79 20 25 73 } // LetsEncrypt cache directory %s
        $str3 = { 65 6e 63 6f 64 65 20 65 72 72 6f 72 3a 20 25 77 } // encode error: %w
        $str4 = { 28 65 72 72 6f 72 20 25 73 29 } // (error %s)
        $str5 = { 45 72 72 6f 72 20 6c 6f 61 64 69 6e 67 20 63 6c 69 65 6e 74 20 63 65 72 74 20 61 6e 64 20 6b 65 79 20 70 61 69 72 3a 20 25 76 } // Error loading client cert and key pair: %v
        $str6 = { 4c 69 73 74 65 6e 69 6e 67 20 6f 6e 20 25 73 3a 2f 2f 25 73 3a 25 73 25 73 } // Listening on %s://%s:%s%s
        $str7 = { 46 61 69 6c 65 64 20 74 6f 20 64 65 63 6f 64 65 20 50 45 4d 3a 20 25 73} // Failed to decode PEM: %s
        $str8 = { 43 6c 6f 73 65 64 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 28 25 73 29 } // Closed connection (%s)
        $str9 = { 70 72 6f 78 79 23 25 73 } // proxy#%s
    // code reuse
    // x86-64 code sequences lifted verbatim from the referenced sample. They
    // embed RIP-relative displacements and call offsets (e.g. "48 8d 05 xx xx xx xx",
    // "e8 xx xx xx xx") as fixed bytes, so they are presumably only expected to
    // match builds with the same layout as that sample. Replacing those bytes
    // with "??" wildcards would broaden coverage to other Chisel builds, but
    // would need re-testing against benign Chisel binaries for false positives.
        $seq1 = { 48 89 05 5a 96 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 3c 67 10 00 48 89 44 24 30 48 c7 44 24 38 01 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 05 fd ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d d7 b4 40 00 48 89 15 d8 b4 40 00 83 3d 41 0d 45 00 00 90 0f 85 b5 0b 00 00 48 89 05 b3 b4 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 50 eb 18 00 48 89 44 24 30 48 c7 44 24 38 01 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 96 fc ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d e8 b2 40 00 48 89 15 e9 b2 40 00 83 3d d2 0c 45 00 00 0f 85 36 0b 00 00 48 89 05 c5 b2 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 e3 ea 18 00 48 89 44 24 30 48 c7 44 24 38 01 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 28 fc ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d da b2 40 00 48 89 15 db b2 40 00 83 3d 64 0c 45 00 00 0f 1f 40 00 0f 85 b0 0a 00 00 48 89 05 b3 b2 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 ee 65 10 00 48 89 44 24 30 48 c7 44 24 38 01 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 b6 fb ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d e8 b2 40 00 48 89 15 e9 b2 40 00 83 3d f2 0b 45 00 00 0f 85 31 0a 00 00 48 89 05 c5 b2 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 04 ea 18 00 48 89 44 24 30 48 c7 44 24 38 01 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 48 fb ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 5a b3 40 00 48 89 15 5b b3 40 00 83 3d 84 0b 45 00 00 0f 1f 40 00 0f 85 aa 09 00 00 48 89 05 33 b3 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 0f 65 10 00 48 89 44 24 30 48 c7 44 24 38 01 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 d6 fa ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d c8 b0 40 00 48 89 15 c9 b0 40 00 83 3d 12 0b 
45 00 00 0f 85 2b 09 00 00 48 89 05 a5 b0 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 25 e9 18 00 48 89 44 24 30 48 c7 44 24 38 01 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 68 fa ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 5a b2 40 00 48 89 15 5b b2 40 00 83 3d a4 0a 45 00 00 0f 1f 40 00 0f 85 a8 08 00 00 48 89 05 33 b2 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 b4 e8 18 00 48 89 44 24 30 48 c7 44 24 38 01 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 f6 f9 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 08 b1 40 00 48 89 15 09 b1 40 00 83 3d 32 0a 45 00 00 0f 85 29 08 00 00 48 89 05 e5 b0 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 21 64 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 88 f9 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 5a af 40 00 48 89 15 5b af 40 00 83 3d c4 09 45 00 00 0f 1f 40 00 0f 85 a6 07 00 00 48 89 05 33 af 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 b1 63 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 16 f9 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d c8 b0 40 00 48 89 15 c9 b0 40 00 83 3d 52 09 45 00 00 0f 85 27 07 00 00 48 89 05 a5 b0 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 45 63 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 a8 f8 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 9a af 40 00 48 89 15 9b af 40 00 83 3d e4 08 45 00 00 0f 1f 40 00 0f 85 a4 06 00 00 48 89 05 73 af 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 d5 62 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 36 f8 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d c8 b0 40 00 48 89 15 c9 b0 
40 00 83 3d 72 08 45 00 00 0f 85 22 06 00 00 48 89 05 a5 b0 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 69 62 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 c8 f7 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d fa ad 40 00 48 89 15 fb ad 40 00 83 3d 04 08 45 00 00 0f 1f 40 00 0f 85 9f 05 00 00 48 89 05 d3 ad 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 f9 61 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 56 f7 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d c8 ae 40 00 48 89 15 c9 ae 40 00 83 3d 92 07 45 00 00 0f 85 1c 05 00 00 48 89 05 a5 ae 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 8d 61 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 e8 f6 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 7a ad 40 00 48 89 15 7b ad 40 00 83 3d 24 07 45 00 00 0f 1f 40 00 0f 85 99 04 00 00 48 89 05 53 ad 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 1d 61 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 76 f6 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d c8 ae 40 00 48 89 15 c9 ae 40 00 83 3d b2 06 45 00 00 0f 85 1a 04 00 00 48 89 05 a5 ae 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 b1 60 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 08 f6 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d ba ab 40 00 48 89 15 bb ab 40 00 83 3d 44 06 45 00 00 0f 1f 40 00 0f 85 97 03 00 00 48 89 05 93 ab 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 41 60 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 96 f5 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 28 ad 40 
00 48 89 15 29 ad 40 00 83 3d d2 05 45 00 00 0f 85 18 03 00 00 48 89 05 05 ad 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 d5 5f 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 28 f5 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d fa ab 40 00 48 89 15 fb ab 40 00 83 3d 64 05 45 00 00 0f 1f 40 00 0f 85 95 02 00 00 48 89 05 d3 ab 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 65 5f 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 b6 f4 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 28 ad 40 00 48 89 15 29 ad 40 00 83 3d f2 04 45 00 00 0f 85 16 02 00 00 48 89 05 05 ad 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 f9 5e 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 48 f4 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 5a aa 40 00 48 89 15 5b aa 40 00 83 3d 84 04 45 00 00 0f 1f 40 00 0f 85 90 01 00 00 48 89 05 33 aa 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 89 5e 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 d6 f3 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d 28 ab 40 00 48 89 15 29 ab 40 00 83 3d 12 04 45 00 00 0f 85 11 01 00 00 48 89 05 05 ab 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 1d 5e 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 68 f3 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 48 89 0d da a9 40 00 48 89 15 db a9 40 00 83 3d a4 03 45 00 00 0f 1f 40 00 0f 85 89 00 00 00 48 89 05 b3 a9 40 00 0f 57 c0 0f 11 44 24 30 48 8d 05 ad 5d 10 00 48 89 44 24 30 48 c7 44 24 38 02 00 00 00 48 8d 44 24 30 48 89 04 24 48 c7 44 24 08 01 00 00 00 48 c7 44 24 10 01 00 00 00 e8 f6 f2 ff ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 28 
48 89 0d 28 ab 40 00 48 89 15 29 ab 40 00 83 3d 32 03 45 00 00 }
        $seq2 = { 48 c7 40 70 00 00 00 00 48 8b 48 08 48 89 0c 24 e8 01 47 ff ff 48 8b 84 24 c0 01 00 00 48 89 04 24 e8 70 e1 00 00 48 8b 84 24 b8 04 00 00 48 8b 48 10 48 89 0c 24 e8 9b 6d ff ff 48 8b 84 24 c0 01 00 00 48 89 04 24 e8 4a e1 00 00 48 8b 84 24 b8 04 00 00 48 8b 48 10 48 89 0c 24 e8 75 6d ff ff 48 8b 44 24 08 48 8b 4c 24 10 48 8b 54 24 18 48 8b 9c 24 80 01 00 00 48 89 1c 24 c6 44 24 08 16 48 89 44 24 10 48 89 4c 24 18 48 89 54 24 20 e8 41 4e fe ff 48 8b 44 24 30 48 8b 4c 24 38 48 83 7c 24 30 00 0f 85 9c 17 00 00 0f 57 c0 0f 11 84 24 18 02 00 00 0f 11 84 24 28 02 00 00 0f 11 84 24 38 02 00 00 48 8b 84 24 b8 04 00 00 48 8b 88 b0 00 00 00 48 8b 11 48 8b 59 08 48 8b 49 10 48 89 94 24 30 02 00 00 48 89 9c 24 38 02 00 00 48 89 8c 24 40 02 00 00 48 8d 8c 24 18 02 00 00 48 89 0c 24 e8 2d a2 ff ff 48 8b 84 24 c0 01 00 00 48 89 04 24 90 e8 7b e0 00 00 48 8d 84 24 18 02 00 00 48 89 04 24 e8 0a a2 ff ff 48 8b 44 24 08 48 8b 4c 24 10 48 8b 54 24 18 48 8b 9c 24 80 01 00 00 48 89 1c 24 c6 44 24 08 16 48 89 44 24 10 48 89 4c 24 18 48 89 54 24 20 e8 76 4d fe ff 48 8b 44 24 30 48 8b 4c 24 38 48 83 7c 24 30 00 66 0f 1f 44 00 00 0f 85 ab 16 00 00 48 8b 84 24 b8 04 00 00 48 8b 48 10 80 79 53 00 0f 85 a9 15 00 00 48 8b 48 18 48 8b 51 20 48 8b 0a 48 8b 9c 24 80 01 00 00 0f b7 73 40 66 89 34 24 ff d1 48 8b 44 24 08 48 89 84 24 f8 00 00 00 48 8b 4c 24 10 48 89 8c 24 38 01 00 00 48 8b 58 20 48 8b b4 24 80 01 00 00 48 8b 7e 48 4c 8b 84 24 b8 04 00 00 4d 8b 88 b0 00 00 00 4d 8b 50 08 4d 8b 58 10 48 89 0c 24 48 89 7c 24 08 4c 89 4c 24 10 4c 89 54 24 18 4c 89 5c 24 20 ff d3 48 8b 44 24 28 48 8b 4c 24 30 48 8b 5c 24 38 48 83 7c 24 30 00 0f 85 c0 14 00 00 48 85 c0 0f 84 93 00 00 00 48 89 84 24 30 01 00 00 48 8b 08 48 8b 50 08 48 8b 58 10 48 85 c9 0f 84 7b 13 00 00 48 8b 84 24 c0 01 00 00 48 89 04 24 48 89 4c 24 08 48 89 54 24 10 48 89 5c 24 18 e8 2c df 00 00 48 8b 84 24 30 01 00 00 48 8b 08 48 8b 50 08 48 8b 58 10 48 85 c9 0f 84 21 12 00 00 48 8b 84 24 80 01 00 00 48 89 04 24 c6 44 
24 08 16 48 89 4c 24 10 48 89 54 24 18 48 89 5c 24 20 e8 2b 4c fe ff 48 8b 44 24 30 48 8b 4c 24 38 48 83 7c 24 30 00 0f 85 c6 11 00 00 48 8b 84 24 80 01 00 00 48 8b 48 48 48 83 b9 90 00 00 00 01 90 0f 8d 0b 10 00 00 31 c9 48 89 8c 24 78 01 00 00 48 8d 05 e9 5c 24 00 48 89 04 24 48 c7 44 24 08 04 00 00 00 48 c7 44 24 10 04 00 00 00 e8 4e cd e2 ff 48 8b 44 24 18 c6 00 0e 48 8b 8c 24 c0 01 00 00 48 89 0c 24 48 89 44 24 08 48 c7 44 24 10 04 00 00 00 48 c7 44 24 18 04 00 00 00 0f 1f 00 e8 5b de 00 00 48 8d 05 94 5c 24 00 48 89 04 24 48 c7 44 24 08 04 00 00 00 48 c7 44 24 10 04 00 00 00 e8 f9 cc e2 ff 48 8b 44 24 18 c6 00 0e 48 8b 8c 24 80 01 00 00 48 89 0c 24 c6 44 24 08 16 48 89 44 24 10 48 c7 44 24 18 04 00 00 00 48 c7 44 24 20 04 00 00 00 e8 44 4b fe ff 48 8b 44 24 30 48 8b 4c 24 38 48 83 7c 24 30 00 0f 85 1f 0f 00 00 48 8b 84 24 80 01 00 00 48 89 04 24 66 90 e8 bb 43 fe ff 48 8b 44 24 10 48 8b 4c 24 18 48 83 7c 24 10 00 0f 85 d6 0e 00 00 48 8b 84 24 80 01 00 00 48 89 04 24 e8 34 4c fe ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 10 48 8b 5c 24 10 48 8b 74 24 08 48 8b 7c 24 08 48 83 7c 24 18 00 0f 85 7b 0e 00 00 48 8b 84 24 80 01 00 00 48 8b 48 48 48 83 b9 90 00 00 00 01 0f 8c 55 0e 00 00 48 8d 0d e9 3f 26 00 66 0f 1f 84 00 00 00 00 00 48 39 cf 0f 85 30 0e 00 00 48 89 94 24 b8 01 00 00 0f 85 4f 0d 00 00 48 89 14 24 0f 1f 44 00 00 e8 db 9e ff ff 48 8b 84 24 c0 01 00 00 48 89 04 24 e8 2a dd 00 00 48 c7 84 24 80 03 00 00 00 00 00 00 48 8d bc 24 88 03 00 00 0f 57 c0 48 8d 7f f0 66 0f 1f 84 00 00 00 00 00 66 0f 1f 44 00 00 48 89 6c 24 f0 48 8d 6c 24 f0 e8 de c6 e4 ff 48 8b 6d 00 48 8b 84 24 b8 01 00 00 48 8b 48 18 48 8b 50 20 48 8b 58 28 48 89 8c 24 80 03 00 00 48 89 94 24 88 03 00 00 48 89 9c 24 90 03 00 00 48 8b 8c 24 80 01 00 00 48 89 0c 24 48 8b 94 24 80 03 00 00 48 89 54 24 08 48 8d 7c 24 10 48 8d b4 24 88 03 00 00 48 89 6c 24 f0 48 8d 6c 24 f0 e8 ca c9 e4 ff 48 8b 6d 00 e8 43 27 00 00 48 8b 84 24 80 00 00 00 48 8b 8c 24 88 00 00 00 48 83 bc 24 80 00 00 00 00 0f 85 
4a 0c 00 00 48 8b 94 24 b8 01 00 00 48 83 7a 20 00 0f 84 26 0c 00 00 48 8b 94 24 80 01 00 00 48 8b 8a 98 00 00 00 48 8b 9a 90 00 00 00 48 85 c9 0f 86 7e 13 00 00 48 8b 03 48 8b 88 a0 00 00 00 48 8b 80 a8 00 00 00 48 89 8c 24 f0 00 00 00 48 89 84 24 20 01 00 00 48 89 14 24 e8 88 4a fe ff 48 8b 44 24 18 48 8b 4c 24 20 48 8b 54 24 08 48 8b 5c 24 10 48 83 7c 24 18 00 0f 85 9d 0b 00 00 48 8b 84 24 f0 00 00 00 48 8b 8c 24 20 01 00 00 48 89 94 24 00 01 00 00 48 89 8c 24 20 01 00 00 48 89 84 24 f0 00 00 00 48 89 9c 24 40 01 00 00 48 8b b4 24 80 01 00 00 48 8b 7e 48 48 83 }
        $seq3 = { 48 89 34 24 e8 65 6c fe ff 48 8d bc 24 f8 03 00 00 48 8d 74 24 08 48 89 6c 24 f0 48 8d 6c 24 f0 e8 2f be e4 ff 48 8b 6d 00 48 8b 84 24 80 01 00 00 48 8b 48 48 48 8b 51 58 48 8b 0a 48 89 e7 48 8d b4 24 f8 03 00 00 0f 1f 80 00 00 00 00 48 89 6c 24 f0 48 8d 6c 24 f0 e8 f7 bd e4 ff 48 8b 6d 00 ff d1 48 8b 84 24 b0 00 00 00 48 8b 8c 24 b8 00 00 00 48 83 bc 24 b0 }
    condition:
        // Gate on the PE "MZ" header and a 100KB size floor, then require at
        // least 2 of the 3 code sequences AND 7 of the 9 format strings; the
        // strings alone are not sufficient for a match.
        uint16(0) == 0x5a4d and filesize > 100KB and 2 of ($seq*) and 7 of ($str*)
}
